CVE-2026-9065
Authenticated SQL Injection in SureCart Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Tenable Network Security, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| surecart | surecart | up to 4.2.1 (excluding 4.2.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9065 is an authenticated SQL injection vulnerability in SureCart versions prior to 4.2.1. It affects multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.
The root cause is a flaw in the query builder ('wp-query-builder') where values passed to the 'where()' method are only sanitized if they do not contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot in the payload, an attacker can bypass the escaping logic and inject arbitrary SQL into the 'WHERE' clause.
This allows attackers to perform full UNION-based extraction of the database.
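The defect described above is a where() method that decides whether to escape a value based on the value's content. The counter-pattern is a builder that never lets values into the SQL text at all: identifiers come from allow-lists the application owns, and every value is bound through a placeholder regardless of what characters it contains. The following is an added illustration in Python on top of sqlite3, not code from SureCart or from wp-query-builder; the table name, columns and rows are constructed for the demo.

```python
import re
import sqlite3
from typing import Any, List, Tuple

# Constructed in-memory table standing in for a WordPress-prefixed table.
# Hypothetical name and columns; not SureCart's real schema.
SCHEMA = """
CREATE TABLE wp_integrations (
    id INTEGER PRIMARY KEY,
    model_name TEXT,
    model_id TEXT,
    provider TEXT
);
INSERT INTO wp_integrations VALUES (1, 'order', '10', 'mailchimp');
INSERT INTO wp_integrations VALUES (2, 'product', '11', 'zapier');
"""

# Identifiers (table, column, operator) come from allow-lists the application
# controls. Values never touch the SQL text: they are bound through
# placeholders whatever characters they contain.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
ALLOWED_COLUMNS = {"id", "model_name", "model_id", "integration_id", "provider"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "LIKE"}


class SafeQuery:
    """Minimal query builder whose where() is safe for any value."""

    def __init__(self, table: str) -> None:
        if not IDENT_RE.match(table):
            raise ValueError(f"invalid table identifier: {table!r}")
        self.table = table
        self._conds: List[str] = []
        self._params: List[Any] = []

    def where(self, column: str, operator: str, value: Any) -> "SafeQuery":
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if operator.upper() not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {operator!r}")
        # No content-based branching here: a value containing '.', 'wp_'
        # or a quote is bound exactly like any other value.
        self._conds.append(f"{column} {operator.upper()} ?")
        self._params.append(value)
        return self

    def build(self) -> Tuple[str, List[Any]]:
        sql = f"SELECT id, model_name, model_id, provider FROM {self.table}"
        if self._conds:
            sql += " WHERE " + " AND ".join(self._conds)
        return sql, list(self._params)


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup(conn: sqlite3.Connection, model_name: str) -> List[Tuple]:
    """Filter by model_name with the value bound as data, never as SQL."""
    sql, params = SafeQuery("wp_integrations").where("model_name", "=", model_name).build()
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup(db, "order"))  # [(1, 'order', '10', 'mailchimp')]
    # A value built to slip past a dot/prefix check is just a string that
    # matches no row; the query's structure is unchanged.
    print(lookup(db, "order' OR 1.1=1.1 OR 'wp_' LIKE '"))  # []
    print(SafeQuery("wp_integrations").where("provider", "=", "a.b").build())
```

The point of the design is that there is no code path in which a value's characters decide whether it is escaped: `build()` always emits `?` for the value and hands the raw string to the driver, so a dot or the `wp_` prefix cannot change the shape of the WHERE clause.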
How can this vulnerability impact me?
This vulnerability allows authenticated attackers to inject arbitrary SQL queries, which can lead to unauthorized access to sensitive data stored in the database.
Attackers can extract data using UNION-based SQL injection, potentially exposing confidential information.
Because the vulnerability requires authentication, it may be exploited by users with some level of access, increasing the risk of insider threats or compromised accounts.
The high CVSSv4 score of 9.3 indicates a severe impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves authenticated SQL injection via specific parameters in the REST API endpoint '/surecart/v1/integrations/{id}'. Detection would typically involve monitoring or testing these parameters ('model_name', 'model_id', 'integration_id', 'provider') for SQL injection attempts.
Since the vulnerability requires authentication and targets a REST API endpoint, detection can be done by sending crafted requests to the endpoint with payloads containing dots ('.') in these parameters to see if the system behaves unexpectedly or returns SQL errors.
- Use curl or a similar tool to send authenticated requests to the endpoint with payloads containing dots in the parameters, for example:
  `curl -G 'https://yourdomain.com/surecart/v1/integrations/1' -H 'Authorization: Bearer <token>' --data-urlencode 'model_name=1.1'`
- Look for SQL error messages or unusual responses indicating injection.
Additionally, monitoring logs for unusual or malformed requests to this endpoint or unexpected database errors can help detect exploitation attempts.
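The log-monitoring suggestion above can be turned into a concrete check. The following is an added example, not part of the advisory or of SureCart: it parses web-server access logs in combined log format, keeps only requests to the `/surecart/v1/integrations/{id}` route, and flags the four named parameters when a value carries the dot or `wp_` prefix the advisory describes (or quotes, whitespace and comment markers), when an id parameter is non-numeric, or when the server answered 5xx. The `/wp-json/` prefix is assumed as the default WordPress REST base, and the log lines are constructed for the demo.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# The /wp-json/ prefix is the default WordPress REST base and is assumed here.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /wp-json/surecart/v1/integrations/7?model_name=order HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2026:10:01:09 +0000] "GET /wp-json/surecart/v1/integrations/7?model_name=order.id%20OR%201%3D1 HTTP/1.1" 200 9123 "-" "python-requests/2.31"
10.0.0.9 - - [20/May/2026:10:01:15 +0000] "GET /wp-json/surecart/v1/integrations/7?provider=wp_posts HTTP/1.1" 500 301 "-" "python-requests/2.31"
10.0.0.3 - - [20/May/2026:10:02:00 +0000] "GET /wp-json/surecart/v1/integrations/2?model_id=42 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.3 - - [20/May/2026:10:02:01 +0000] "GET /wp-json/wp/v2/posts?search=1.1 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Route named in the advisory; the id segment is whatever follows the last slash.
ENDPOINT_RE = re.compile(r"/surecart/v1/integrations/[^/]+$")
WATCHED_PARAMS = {"model_name", "model_id", "integration_id", "provider"}
NUMERIC_PARAMS = {"model_id", "integration_id"}
# Characters that have no business in these values: the dot and table prefix
# named in the advisory, plus quotes, whitespace, statement and comment markers.
SUSPICIOUS_RE = re.compile(r"""[.'"\s;]|--|/\*|wp_""", re.IGNORECASE)


def inspect_line(line_no: int, line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if it is not interesting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not ENDPOINT_RE.search(parts.path):
        return None
    reasons: List[str] = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if name in NUMERIC_PARAMS and not value.isdigit():
                reasons.append(f"non_numeric_param:{name}")
            elif SUSPICIOUS_RE.search(value):
                reasons.append(f"suspicious_param:{name}")
    # A 5xx on this route is a weaker signal on its own, but it is exactly
    # what a broken WHERE clause tends to produce.
    if int(m.group("status")) >= 500:
        reasons.append("server_error")
    if not reasons:
        return None
    return {"line": line_no, "ip": m.group("ip"), "ts": m.group("ts"),
            "ua": m.group("ua"), "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    """Run inspect_line over every line and collect the findings."""
    findings: List[Dict] = []
    for n, line in enumerate(text.splitlines(), start=1):
        finding = inspect_line(n, line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['ts']} {f['ua']} -> {', '.join(f['reasons'])}")
```

Only the advisory's own route and parameter names are hard-coded; the rule fires on the properties of a value rather than on any particular payload, so it also covers values that are merely malformed. The `server_error` reason is deliberately separate so a SIEM rule can weight a 5xx lower than a suspicious parameter and higher when both occur on the same request.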
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade SureCart to version 4.2.1 or later, where this vulnerability has been fixed.
Since the vulnerability requires authenticated access, ensure that access to the REST API endpoint '/surecart/v1/integrations/{id}' is restricted to trusted users only.
If upgrading immediately is not possible, consider implementing additional access controls or monitoring to detect and block suspicious requests targeting the vulnerable parameters.